Abstract

Simon [Sim97] as extended by Brassard and Høyer [BH97] shows that there are tasks on which polynomial-time quantum machines are exponentially faster than each classical machine infinitely often. The present paper shows that there are tasks on which polynomial-time quantum machines are exponentially faster than each classical machine almost everywhere.



1 Introduction 

One issue of broad importance in the area of quantum computing is to gain an understanding of exactly what potential quantum computers hold, i.e., what superiority over classical computers they offer. Work of Simon [Sim97], as extended by Brassard and Høyer [BH97], is often cited as evidence for the potential superiority of quantum computation over classical computation. Their work shows that for computation relative to a black-box function (also sometimes referred to as a promise function) there are problems on which exact (i.e., worst-case polynomial time with zero error probability, see, e.g., [BH97]) polynomial-time quantum computation is infinitely often exponentially faster than each deterministic — or even bounded-error probabilistic — classical computer solving the problem.



Berthiaume and Brassard [BB94] raised and studied the issue of whether one can obtain far more decisive separations: separations where quantum computation is superior on all but a finite number of inputs. That is, they sought to bring to the quantum-versus-classical computation question the very strong type of separation known in complexity theory as almost-everywhere separations [GHS87, GHS91, ABHH93]. Berthiaume and Brassard [BB94] obtained the remarkable result that there are tasks that can be done in exact exponential time on quantum machines but on which each classical deterministic machine requires double exponential time almost everywhere.

However, neither the Berthiaume-Brassard result nor the technique of its proof works 
for quantum polynomial time. (Such results tend to be far harder to obtain for small time 
classes than for large ones.) Also, their result is for deterministic (not bounded-error prob- 
abilistic) classical computing. Additionally, the Simon result leaves open the possibility 
(which in fact is the case that holds, as first discussed by Berthiaume and Brassard) that 
for some classical computers solving the problem there are infinitely many inputs on which 
quantum computing is not interestingly faster on these problems. In fact, quantum computing in Simon's construction is superior to classical computing on only an exponentially small portion of the inputs.

In contrast, the present paper shows that there are problems on which exact quantum 
polynomial-time computing is exponentially superior to classical computing almost every- 
where. In particular, we show that for computation relative to a black-box function there 
are problems solved in exact polynomial-time by quantum computers but on which every 
deterministic — or even bounded-error probabilistic — classical computer solving the problem 
requires exponential time on all but a finite number of inputs. 

2 History and Discussion 

This section provides a more detailed history and discussion of the background and related results than does Section 1. Reading this section is not needed to understand the results of Section 3.

2.1 Simon and Infinitely-Often Superiority for Quantum Computing

Tremendously exciting new models of computation — quantum computing and DNA- 
computing — have become one strong focus of theoretical computer science research. Re- 
searchers dearly want to know whether these models, at least in certain settings, offer 
computational properties (most particularly, quick run-time) superior to what is offered by 
classical computational models. 

Of course, even such an exciting model as quantum computing has limitations (see, e.g., the elegant lower-bound approach of Beals et al. [BBC+98]). However, let us here consider the highlights of what is known suggesting the superiority of quantum computing. The three most famous lines of work are those of Shor [Sho97], Grover ([Gro96], see also [BBHT98]), and Simon ([Sim97], see also [BH97]).



Grover shows that quantum computing can do certain search problems at a quadratically faster exponential speed than one intuitively would expect in classical computing. Shor shows that factoring (and other interesting problems) can be done in expected polynomial time in the quantum model. These are both undeniably impressive results. However, note that it is at least plausible that classical, deterministic computing can seemingly have the effect of searching through huge numbers of possibilities very quickly (for example, testing satisfiability) and can factor very quickly; for example, if P = NP, NP-like search problems^2 and factoring are easily in P (though clearly not by going through all the possibilities anywhere near a brute-force way).

In contrast, Simon [Sim97] shows that for computing with respect to a black-box function there are problems for which quantum polynomial-time bounded-error computing provably is exponentially faster than classical deterministic computing or even classical bounded-error computing. Brassard and Høyer [BH97] improved the upper bound to obtain that for computing with respect to a black-box function there are problems for which exact quantum polynomial-time computing is exponentially faster than classical deterministic computing or even classical bounded-error computing; in particular, there are problems in exact polynomial time (which we will refer to as QP, see [BH97], though it sometimes is denoted EQP) such that each bounded-error classical Turing machine solving them requires exponential time on infinitely many inputs.

2.2 Limitations of Simon's Result 

As described in the previous subsection, Simon-Brassard-Høyer show, for computing with respect to a black-box function, the infinitely-often exponential superiority of exact quantum polynomial-time computing over classical deterministic computing (and even over classical bounded-error computing), on a particular problem. Since we will always speak of computing with respect to a black-box function that may have a promise, we will henceforth stop mentioning that and take it to be implicit from context as is standard in the literature.

Are there any worries or limitations to Simon's work? Simon (when one tightens his upper bound to QP via the work of Brassard-Høyer) gives an "infinitely often" result: a problem that is in QP but such that each classical bounded-error machine solving the problem takes exponential time on infinitely many inputs. However, "infinitely many" says no more than it seems to. In fact, for Simon's problem, there are classical deterministic machines that solve the problem essentially instantly (i.e., in n + 1 steps on inputs of length n) on the vast majority of inputs — in fact, on all but one input of each length.

2 To be fair to Grover, his result can plausibly be viewed instead as a black-box result. The key issue is whether the predicate, C(S), that he uses should be viewed as some polynomial-time evaluation or as a black-box predicate. He does not have to address this issue (his motivating example, SAT, satisfies the former but a parenthetical remark in his paper suggests the latter), as his results are valid either way and as he is improving the upper bound rather than establishing any lower bounds. In any case, note that in contrast to Simon's and the present paper's exponential superiority results, Grover's algorithm beats the obvious brute-force deterministic algorithm by a quadratic factor.

So, even though Simon proves infinitely-often superiority, in fact for his problem the superiority occurs only on an exponentially thin portion of inputs. In contrast, the present paper achieves exponential superiority for exact quantum polynomial time on all sufficiently long inputs (so, for example, each classical machine for the problem will take subexponential time on at most a finite set of inputs).

This is well-motivated, as one issue of broad importance in the area of quantum com- 
puting is to gain an understanding of exactly what potential quantum computers hold, i.e., 
what superiority over classical computers they offer. 

Thus, it is not surprising that the relation between classical and quantum computing is currently under intense scientific scrutiny. We briefly mention some other works that have disclosed various facets of this relation and that exhibit, in different settings or different time classes, superiority in favor of quantum computing. As noted above, an early paper of Berthiaume and Brassard [BB94] raised the important issue of almost-everywhere hardness for quantum computing, and showed that there are tasks that can be done in exact exponential time on quantum machines but on which each classical deterministic machine requires double exponential time almost everywhere. In contrast, our paper achieves almost-everywhere separation for exact quantum polynomial time, and handles bounded-error as well as deterministic classical machines. Ambainis and de Wolf [dW98] have informed us that, independently of the work of this paper, which first appeared in [HHZ99], they have studied average-case separations with respect to the uniform distribution, their theorem related to this paper first appearing in [AdW99] (the earlier "Version 1" of that report does not contain the related result; see also [AdW00]). What is the relationship between their work and ours? Of course, almost-everywhere separation implies average-case separation in the standard sense, and thus our main result certainly implies average-case separation with respect to the uniform distribution. However, their paper is formally incomparable to ours as the models are exceedingly different (some ways in favor of the strength of their results, and some ways in favor of the strength of our results), for example (in their section related to this paper, their Section 4): (1) their fast quantum algorithms are Las Vegas-type algorithms (and thus some computation paths may take far longer than polynomial time) rather than exact quantum algorithms, (2) their input is exponentially long relative to their "n" and so they are actually distinguishing quantum logarithmic query complexity from classical polynomial query complexity, (3) we are computing a total (for the specific oracle obtained in our proof) non-Boolean function and they are computing a total Boolean function (note that due to work of Beals et al. [BBC+98] it is known that in the query complexity model, which is the model of Beals et al. and of Ambainis and de Wolf but not of the present paper, superpolynomial query complexity gaps between quantum and classical computation cannot ever be obtained for total Boolean functions; but keep in mind that this does not speak directly to the issue of time complexity gaps in standard, non-(random access)-type-time-counting models), (4) their model of input and queries is different from ours as in some sense their input is their oracle (and so uniform distribution must be viewed in this context) and their notion (see also [BBC+98]) of query complexity essentially measures accessing the input itself, and (5) they study average-case complexity but we study almost-everywhere separations. Finally, we mention that in the important (but completely different) area of communication complexity, Raz [Raz99] has shown that for promise problems there is an exponential gap between quantum communication complexity (which in particular is logarithmic on his problem) and classical probabilistic communication complexity (which he gives a lower bound on as a root of the input size).

3 Almost-Everywhere Superiority for Quantum Polynomial Time

Let us start by explicitly stating where we will go. Recall that, as is common, we will throughout this paper denote quantum exact polynomial time (see [BH97]) by QP, though it sometimes in earlier papers is denoted EQP. Recall that what Simon's main theorem states (again, using here the Brassard-Høyer improvement of the upper bound to QP) is the following.



Theorem 3.1 ([Sim97, Theorem 3.4] augmented by [BH97]) There is a constant $\epsilon > 0$ and a (function) oracle $O$ relative to which there is a language $B$ in exact quantum polynomial time such that each bounded-error classical Turing machine accepting $B$ requires time more than $2^{\epsilon n}$ on infinitely many inputs.

What we will prove is the following result, which extends the superiority from merely 
infinitely often to instead almost everywhere. 

Theorem 3.2 There is a constant $\epsilon > 0$ and a (function) oracle $O$ relative to which there is a problem $B$ computable in exact quantum polynomial time such that each bounded-error classical Turing machine computing $B$ requires time more than $2^{\epsilon n}$ on all but a finite number of inputs.

It follows immediately that this problem also demonstrates the almost-everywhere supe- 
riority of quantum computation over deterministic computation, when computing relative 
to a black-box function. 

Corollary 3.3 There is a constant $\epsilon > 0$ and a (function) oracle $O$ relative to which there is a problem $B$ computable in exact quantum polynomial time such that each deterministic classical Turing machine computing $B$ requires time more than $2^{\epsilon n}$ on all but a finite number of inputs.



Some comments are in order regarding Theorem 3.2. First, we should mention that the computational task on which we prove almost-everywhere exponential superiority for quantum computing is, in contrast with Simon's task, a function rather than a language. Second, we should explicitly define what we mean by a probabilistic function.

Definition 3.4 We say a function $f$ is bounded-error Turing computable in time $T(n)$ (i.e., is in $\mathrm{BPTIME}[T(n)]$) iff there is an $\epsilon > 0$ and a probabilistic Turing machine $M$ running in time $T(n)$ such that, on each $x \in \Sigma^*$,

$$\mathrm{Prob}(M(x) = f(x)) \geq 1/2 + \epsilon.$$

If $M$ is a probabilistic Turing machine satisfying the above relation, we say that $M$ has error probability at most $1/2 - \epsilon$.

Finally, we review a bit about Simon's result, as his result motivated our work, as 
we should credit him for the connections between his construction and ours, and as it is 
important to point out why the obvious transformation of his result does not give the result 
we seek. 

The key construction used by Simon is described in the statement of the following result. 



Theorem 3.5 ([Sim97, Theorem 3.3]) Let $O$ be a (function) oracle constructed as follows: for each $n$, a random $n$-bit string $s(n)$ and a random bit $b(n)$ are uniformly chosen from $\{0,1\}^n$ and $\{0,1\}$, respectively. If $b(n) = 0$, then the function $f_n : \{0,1\}^n \to \{0,1\}^n$ chosen for $O$ to compute on $n$-bit queries is a random function uniformly distributed over permutations on $\{0,1\}^n$; otherwise it is a random function uniformly distributed over two-to-one functions such that $f_n(x) = f_n(x \oplus s(n))$ for all $x$, where $\oplus$ denotes bitwise exclusive-or. Then any PTM (probabilistic Turing machine) that queries $O$ no more than $2^{n/4}$ times cannot correctly guess $b(n)$ with probability greater than $(1/2) + 2^{-n/2}$, over choices in the construction of $O$.^3

Simon's "test language" that, based on this oracle, gives one the lower bound of Theorem 3.1 is quite simply the issue of testing the bit described above, that is, the test language that is in QP but on which bounded-error $2^{\epsilon n}$-time classical Turing machines all err on infinitely many inputs is $\{1^n \mid b(n) = 1\}$.

It might be very tempting to exactly adopt the oracle $O$ of Simon, but using instead of his test language the new test language: $L = \{w \mid b(|w|) = 1\}$. This change attempts to "smear" the difficulty of $1^n$ onto all strings of length $n$, and even attempts to achieve the language analog of our desired result.



3 The statement here is taken exactly from Simon. There are some informalities in Simon's statement: the fact that what independence is assumed is not explicitly stated and that the case "$b(n) = 1 \wedge s(n) = 0^n$" won't give an (exactly-2)-to-1 function.



Unfortunately, this provably does not work. Why? A PTM can use the information in the input to (very rarely, but often enough) help it guess $s(n)$, in particular, certainly when it holds that both $b(n) = 1$ and the input happens to be $s(n)$.^4

So, our construction takes a different tack. Intuitively speaking, the above problem 
should be removed if we increase the information content of the xor-bitmask well beyond 
that which input strings can give away. To achieve this, we double the information content 
of the xor-bitmask string, and demand that our functions discover this string. 



Proof of Theorem 3.2: We consider function oracles $A$ of the following form: $A$ is a collection of functions $(f_{n,A})_{n \in \mathbb{N}^+}$ with the following properties:

(i) $f_{n,A} : \{0,1\}^n \to \{0,1\}^{n-1}$,

(ii) $f_{n,A}$ is 2-to-1,

(iii) there is a string $s_{n,A}$ in $\{0,1\}^n - \{0^n\}$ such that for all $x$ of length $n$, $f_{n,A}(x \oplus s_{n,A}) = f_{n,A}(x)$.

Let $\mathcal{A}$ be the set of all such oracles. One can easily induce a probability measure on $\mathcal{A}$. Indeed, $\mathcal{A}$ is the product of the sets $(\mathcal{A}_i)_{i \in \mathbb{N}^+}$, where, for each $i \in \mathbb{N}^+$, $\mathcal{A}_i$ is the set of all functions $f$ mapping $\{0,1\}^i$ into $\{0,1\}^{i-1}$ and having the properties (i), (ii), and (iii). On each set $\mathcal{A}_i$ we consider the probability measure given by the uniform distribution and then we consider the product measure on $\mathcal{A}$. This is identical to choosing, for each $n$ independently, $f_{n,A}$ according to the uniform distribution over all functions with the properties (i), (ii), and (iii). All the probabilistic considerations that follow will be relative to this probability measure. It is important to observe that choosing $f_{n,A}$ uniformly at random amounts to the selection of a random string $s$ of length $n$ and to the independent selection of a random permutation from $\{0,1\}^{n-1}$ to $\{0,1\}^{n-1}$ that dictates how the $2^{n-1}$ pairs $(u, u \oplus s)_{u \in \{0,1\}^n}$, ordered in some canonical way and identified with $\{0,1\}^{n-1}$, are mapped into $\{0,1\}^{n-1}$.



4 Just to be explicit here for absolute clarity, and assuming in light of the comments in Footnote 3 that we never allow the choice "$b(n) = 1 \wedge s(n) = 0^n$," consider the PTM that on each input $w$ does:

{ $n = |w|$;
$a$ = output of oracle $O$ on input $0^n$;
$b$ = output of oracle $O$ on input $0^n \oplus w$;
if $a = b$ and $w \notin 0^*$ then output "$b(|w|) = 1$ and $s(|w|) = w$" else output "$b(|w|) = 0$." }

This machine will, on an infinite number of inputs $w$ (on each length $n$ for which $b(n) = 1$, on the input that equals $s(n)$; and for each length $n$ for which $b(n) = 0$, on all inputs), correctly determine $b(|w|)$ with probability one (relative to the choices of the PTM). Of course, this machine is not correctly accepting $L = \{w \mid b(|w|) = 1\}$, but the machine is enough to show that keeping Simon's oracle $O$ and just adopting the test set $L$ does not establish Simon's Theorem 3.5 in the analogous case that applies here, i.e., where any length $n$ string $w$ may be the input. We note that the PTM given does a bit more than this; on each $n$ with $b(n) = 1$, we have at least one input on which the PTM not only knows $b(n)$ but even discovers $s(n)$.



Let $A \in \mathcal{A}$. We define $g_A$, a function mapping strings of length $n$ into strings of length $2n$, by

$$g_A(w) = s_{2|w|,A},$$

i.e., $g_A(w)$ is the unique string $s$ with the property that for all $x$ of length $2|w|$,

$$f_{2|w|,A}(x \oplus s) = f_{2|w|,A}(x).$$
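The following Python program is an added illustration and is not code from the paper. It constructs Simon's oracle of Theorem 3.5 and one level $f_{n,A}$ of the oracle family just described (a uniformly random nonzero mask and an independent random injection of the $2^{n-1}$ pairs, as in the text), checks properties (i)-(iii), runs the machine of Footnote 4 over every input of one length to show that it determines $b(n)$ on all inputs when $b(n) = 0$ but on only the single input $s(n)$ when $b(n) = 1$, and performs the collision check $f(0^n) = f(s)$ that the modified machine $M'$ uses later in the proof. It also includes a naive deterministic classical machine that recovers the mask by waiting for a collision; this is a sanity check at toy lengths, not the proof's lower bound. All function names (two_to_one_table, simon_oracle, footnote4_machine, paper_oracle_level, classical_mask_search, and the rest) are this example's own, and bit strings are represented as integers.

```python
import random
from collections import Counter

# Bit strings of length n are represented as ints in range(2**n), so the
# Python operator x ^ s plays the role of x (+) s.  All helper names below
# are chosen for this example; they are not the paper's notation.


def two_to_one_table(n, s, rng, out_bits):
    """Random 2-to-1 lookup table f on {0,1}^n with f(x) == f(x ^ s) for the
    given nonzero mask s.  Each of the 2^(n-1) pairs {x, x ^ s} is named by
    its canonical representative min(x, x ^ s), and the representatives are
    mapped injectively into {0,1}^out_bits by a uniformly random choice."""
    assert 0 < s < (1 << n), "mask must be a nonzero string of length n"
    reps = sorted({min(x, x ^ s) for x in range(1 << n)})
    targets = rng.sample(range(1 << out_bits), len(reps))  # distinct images
    image = dict(zip(reps, targets))
    return [image[min(x, x ^ s)] for x in range(1 << n)]


def simon_oracle(n, rng):
    """Simon's oracle at length n (Theorem 3.5): a random bit b(n); if b == 0
    a random permutation of {0,1}^n, otherwise a random 2-to-1 function with
    a nonzero mask s(n) (Footnote 3 rules out s(n) == 0^n).
    Returns (b, s, f) with f as a lookup table and s None when b == 0."""
    b = rng.randrange(2)
    if b == 0:
        f = list(range(1 << n))
        rng.shuffle(f)
        return 0, None, f
    s = rng.randrange(1, 1 << n)
    return 1, s, two_to_one_table(n, s, rng, out_bits=n)


def footnote4_machine(f, w):
    """The machine of Footnote 4 on input w: query f(0^n) and f(0^n ^ w) and
    answer b = 1 (claiming s = w) iff the answers agree and w != 0^n."""
    a = f[0]
    c = f[0 ^ w]
    if a == c and w != 0:
        return 1, w
    return 0, None


def footnote4_experiment(n, seed):
    """Run the Footnote 4 machine on every input of length n against one
    Simon oracle; return (b, s, number of inputs on which it outputs b)."""
    rng = random.Random(seed)
    b, s, f = simon_oracle(n, rng)
    correct = sum(1 for w in range(1 << n) if footnote4_machine(f, w)[0] == b)
    return b, s, correct


def paper_oracle_level(n, rng):
    """One level f_{n,A} of the oracle family in the proof of Theorem 3.2: a
    uniformly random nonzero s_{n,A} and an independent random injection of
    the 2^(n-1) pairs into {0,1}^(n-1), as the text describes."""
    s = rng.randrange(1, 1 << n)
    return s, two_to_one_table(n, s, rng, out_bits=n - 1)


def has_properties(f, n, s):
    """Check (i)-(iii): range inside {0,1}^(n-1), every image hit exactly
    twice, and f(x ^ s) == f(x) for all x of length n."""
    in_range = all(0 <= y < (1 << (n - 1)) for y in f)
    two_to_one = all(c == 2 for c in Counter(f).values())
    symmetric = all(f[x] == f[x ^ s] for x in range(1 << n))
    return in_range and two_to_one and symmetric


def certify_mask(f, s):
    """The two extra queries of the modified machine M': a claimed mask s is
    right iff 0^n and s collide under f (and s is not 0^n)."""
    return s != 0 and f[0] == f[s]


def classical_mask_search(f, n):
    """A naive deterministic classical machine for one length: query strings
    in numeric order until two answers collide; the XOR of the colliding
    queries is the mask.  Returns (mask, number of queries made)."""
    seen = {}
    for x in range(1 << n):
        y = f[x]
        if y in seen:
            return seen[y] ^ x, x + 1
        seen[y] = x
    return None, 1 << n


def mask_search_experiment(n, seed):
    """Build one oracle level, recover its mask classically and certify it.
    Returns (true mask, recovered mask, queries, certified, properties ok)."""
    rng = random.Random(seed)
    s, f = paper_oracle_level(n, rng)
    found, queries = classical_mask_search(f, n)
    return s, found, queries, certify_mask(f, found), has_properties(f, n, s)
```

Calling footnote4_experiment(6, seed) returns (b, s, correct), where correct is 64 whenever b = 0 and exactly 1 whenever b = 1, which is the behaviour Footnote 4 describes. mask_search_experiment(6, seed) returns the true mask, the mask recovered from the first collision, the number of queries spent (at most $2^{n-1} + 1$ by the pigeonhole principle, since only $2^{n-1}$ distinct images exist), whether the $M'$-style certificate passed, and whether properties (i)-(iii) hold for the constructed level.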



It follows from the work of Brassard and Høyer [BH97] that there is a machine running in quantum polynomial time that computes $g_A$ for all $A \in \mathcal{A}$. Later in this proof, we will prove the following claim.

Claim 3.6 There is a set of oracles $B_0$ having measure one in $\mathcal{A}$, such that for every $A \in B_0$ and every deterministic oracle machine $M$ the following holds: for almost every input $w$, $M^A$ either runs for more than $2^{|w|/4} - 2$ steps or does not calculate $g_A(w)$.

To move to bounded error probability machines, we invoke the techniques that Bennett and Gill [BG81] used to prove P = BPP relative to a random oracle. An adaptation of their method shows the following.

Claim 3.7 There is a set of oracles $B_1$ having measure one in $\mathcal{A}$, such that for any probabilistic oracle machine $N$ and for any $A$ in $B_1$, there exists a deterministic oracle machine $M$ with the following property: if $N^A$ computes a function $h$ with bounded error probability (in the sense of Definition 3.4), then on all sufficiently long inputs $w$ on which $N^A$ runs in time $2^{|w|/5}$, $M^A(w) = h(w)$ and $M^A$ runs in time $2^{|w|/4} - 2$.



Claims 3.6 and 3.7 imply Theorem 3.2 (with $O \in B_0 \cap B_1$, $\epsilon = 1/5$, and $B = g_O$). For suppose for a contradiction that there exists a probabilistic oracle machine $N$ and $O \in B_0 \cap B_1$, such that $N^O$ bounded-error computes $g_O$ in the sense of Definition 3.4 and such that $N^O$ runs in time $2^{|w|/5}$ for infinitely many inputs $w$. Then, by Claim 3.7, there exists a deterministic oracle machine $M$ that, for infinitely many inputs $w$, calculates $g_O(w)$ and runs in time $2^{|w|/4} - 2$. But that contradicts Claim 3.6.

For completeness and since there are some differences between our context and the one in the paper of Bennett and Gill [BG81], we will prove Claim 3.7 in detail. In the proof, we will assume that all the oracles $A$ are in $\mathcal{A}$. If $N$ is a probabilistic oracle machine, $A \in \mathcal{A}$ an oracle, and $N^A$ computes a function $h$ with bounded error probability, we will write $N^A(w)$ to denote $h(w)$.

Let $N$ be a probabilistic oracle machine, let $A$ be an oracle (in $\mathcal{A}$), and let $r$ be a rational number such that $0 < r < 1/2$ and $N^A$ computes a function with error probability at most $r$. Let us fix, as a parameter, a positive integer $k$.

If we iterate $N$ on input $w$ a polynomial number of times (the polynomial depends on $k$ and $r$), and, on each computation path, output the majority output among the polynomially many computations of $N$ if a majority output exists (if not, we (arbitrarily) output 0), we get a new machine $N'_{k,r}$ that, on all oracles $A$ on which $N^A$ has error probability at most $r$, computes the same function as $N$ but with error probability at most $(1/k)2^{-(2|w|+1)}$ for every input $w$.

For all oracles $A$, $N'_{k,r}$ runs in time $(1/2)2^{|w|/4}$ on all sufficiently long inputs $w$ on which $N$ is running in time $2^{|w|/5}$. Also note that $N'_{k,r}$ queries strings of length at most $2^{|w|/5}$ on all the inputs $w$ on which $N$ runs in time $2^{|w|/5}$. From $N'_{k,r}$, we build a deterministic machine $M_{N,k,r}$ as follows. Machine $M_{N,k,r}$ on input $w$ simulates $N'_{k,r}$ on input $w$ and each time $N'_{k,r}$ requires a random bit for doing a probabilistic step, $M_{N,k,r}$ takes this bit to be the first bit of $f_{t,A}(0^t)$, where $t$ is the smallest integer $> 2^{|w|/5}$ such that $0^t$ has not been queried before during the simulation on input $w$. It is easy to check that for all strings $w$ that are long enough, if $N'^A_{k,r}$ on $w$ runs in time $(1/2)2^{|w|/4}$, then $M^A_{N,k,r}$ on $w$ runs in time $2^{|w|/4} - 2$. For each $w$, and each rational $r$ with $0 < r < 1/2$, let $E_{N,k,r,w}$ be the class of oracles $A$ on which $N^A$ on input $w$ runs in $2^{|w|/5}$ steps and has error probability at most $r$, and on which $M^A_{N,k,r}(w) \neq N'^A_{k,r}(w)$. Let $U_1, \ldots, U_s$ be all the partial functions defined on the strings of length at most $2^{|w|/5}$ such that for all $i \in \{1, \ldots, s\}$, $N^{U_i}$ on input $w$ runs in $2^{|w|/5}$ steps with error probability at most $r$. For an oracle $A$, let $A_{low}$ denote its restriction to the strings of length at most $2^{|w|/5}$. Then

$$\mathrm{Prob}_A(A \in E_{N,k,r,w}) = \sum_{i=1}^{s} \mathrm{Prob}_A\bigl(M^A_{N,k,r}(w) \neq N'^A_{k,r}(w) \mid A_{low} = U_i\bigr) \cdot \mathrm{Prob}_A(A_{low} = U_i).$$



Now, $\mathrm{Prob}_A(M^A_{N,k,r}(w) \neq N'^A_{k,r}(w) \mid A_{low} = U_i)$ is the probability that $M^A_{N,k,r}(w) \neq N'^A_{k,r}(w)$ given that the regular queries of both machines are answered according to $U_i$. Since the only queries besides those stipulated by $U_i$ that are involved in the conditioned event "$M^A_{N,k,r}(w) \neq N'^A_{k,r}(w)$" are those used by $M_{N,k,r}$ to simulate the random bits used by $N'^{U_i}_{k,r}$ on $w$, it follows that the above conditioned probability is the error probability of $N'^{U_i}_{k,r}(w)$, which is at most $(1/k)2^{-(2|w|+1)}$. It follows that $\mathrm{Prob}_A(A \in E_{N,k,r,w}) \leq (1/k)2^{-(2|w|+1)} \cdot \sum_{i=1}^{s} \mathrm{Prob}_A(A_{low} = U_i) \leq (1/k)2^{-(2|w|+1)}$.

Let $E_{N,k,r}$ denote the set $\bigcup_w E_{N,k,r,w}$, where the union is taken over all strings $w$. Note first that if $A \notin E_{N,k,r}$ and if $N^A$ has error probability at most $r$, then $M^A_{N,k,r}(w) = N^A(w)$ on all inputs $w$ on which $N^A$ runs in $2^{|w|/5}$ steps. We have that $\mathrm{Prob}_A(A \in E_{N,k,r}) \leq \sum_w \mathrm{Prob}_A(A \in E_{N,k,r,w}) \leq (1/k)\sum_w 2^{-(2|w|+1)} = 1/k$. Therefore the measure of $\bigcap_{k \geq 1} E_{N,k,r}$ is zero and thus the measure of $\mathcal{A} - \bigcap_{k \geq 1} E_{N,k,r}$ is one. We take $B_1 = \bigcap_{N,r}(\mathcal{A} - \bigcap_{k \geq 1} E_{N,k,r})$, where the first intersection is taken over all probabilistic Turing machines $N$ and rationals $r$ such that $0 < r < 1/2$. The set $B_1$ has measure one because it is a countable intersection of sets of measure one.

Let $N$ be a probabilistic Turing machine and $A$ be an oracle in $B_1$ such that $N^A$ has bounded error probability at most $r$ for rational $r$ with $0 < r < 1/2$. It follows that $A \in \mathcal{A} - E_{N,k,r}$ for some $k$. On all sufficiently long inputs $w$ on which $N^A$ runs in $2^{|w|/5}$ steps, $M_{N,k,r}$ runs in time $2^{|w|/4} - 2$ and $M^A_{N,k,r}(w) = N^A(w)$. This completes the proof of Claim 3.7.



We now prove Claim 3.6, that is, we have to show that there is a set of oracles $B_0$ having measure one in $\mathcal{A}$, such that for every $A \in B_0$ and every deterministic oracle machine $M$ the following holds: for almost every input $w$, $M^A$ either runs for more than $2^{|w|/4} - 2$ steps or does not calculate $g_A(w)$.

Thus, let $M$ be a deterministic oracle machine that attempts to calculate $g_A$. We modify $M$ so that at the end of its computation, having a string $s$ on its output tape, it asks the oracle $A$ for the values of $f_{|s|,A}(0^{|s|})$ and $f_{|s|,A}(s)$. Let $M'$ be the modified machine. The reason for this modification is so we are sure there is a "collision" if $M$ has the correct string $s$, as we will now make formal and clear. We say that for an oracle $A$, two strings $x$ and $y$ collide if $f_{|x|,A}(x) = f_{|y|,A}(y)$. Let us fix an input $w$ and let $n = |w|$. Observe that

$$(3.\mathrm{a}) \quad \mathrm{Prob}_A(M^A \text{ runs at most } 2^{n/4} - 2 \text{ steps and calculates } g_A(w)) \leq \mathrm{Prob}_A(M'^A \text{ queries at most } 2^{n/4} \text{ strings and two queried strings of length } 2n \text{ collide with respect to } A),$$

because if $M$ is correct on $w$, then $M'$ at the end of its computation will ask $0^{2n}$ and $s_{2n,A}$ and these will collide.

We assume without loss of generality that for each $z$ and for each oracle $A$ it holds that $M'^A(z)$ does not query the same string twice during its run. Let $x_1, x_2, \ldots, x_k$ be, in the order in which they are queried, the strings that $M'$ queries on input $w$. Of course, $k$ and the set of strings are random variables (in other words they depend on the oracle $A$). We will show the following fact.

Fact 3.8 $p_w =_{\mathrm{def}} \mathrm{Prob}_A(k \leq 2^{|w|/4}$ and there is a collision for a pair of strings of length $2|w|$ in $\{x_1, \ldots, x_k\}) \leq 2^{-1.4|w|}$.

Assuming that the fact holds, we have

$$(3.\mathrm{b}) \quad \sum_{w \in \{0,1\}^*} p_w = \sum_{\ell \geq 0} \sum_{w \in \{0,1\}^\ell} p_w \leq \sum_{\ell=0}^{\infty} 2^{\ell} \cdot 2^{-1.4\ell} = \sum_{\ell=0}^{\infty} 2^{-0.4\ell} < \infty.$$



By the Borel-Cantelli Lemma and taking into account (3.a) it follows that

$$\mathrm{Prob}_A(\text{for infinitely many inputs } w, M^A(w) \text{ makes at most } 2^{|w|/4} - 2 \text{ steps and computes } g_A(w)) = 0.$$






Since there are a countable number of deterministic oracle machines $M$, we obtain that

$$\mathrm{Prob}_A(\text{there exists } M \text{ that, on infinitely many inputs } w, \text{ runs at most } 2^{|w|/4} - 2 \text{ steps and that computes } g_A(w)) = 0.$$

Consequently,

$$(3.\mathrm{c}) \quad \mathrm{Prob}_A(\text{for all } M, M^A, \text{ on almost every input } w, \text{ either runs more than } 2^{|w|/4} - 2 \text{ steps or does not compute } g_A(w)) = 1,$$

which is the desired assertion.



We still must prove Fact 3.8. In this proof, for brevity, collisions will always refer to strings of length $2n$ and will always be with respect to the oracle $A$. We will drop the subscript from the functions $f$, with the understanding that the missing subscript is equal to the length of the argument. We will also write $\mathrm{Prob}(\ldots)$ for $\mathrm{Prob}_A(\ldots)$ when this is clear from the context.

Decomposing the event "$k \leq 2^{n/4}$ and collision in $\{x_1, \ldots, x_k\}$" into mutually disjoint events, we have

$$\begin{aligned}
(3.\mathrm{d}) \quad &\mathrm{Prob}(k \leq 2^{n/4} \text{ and collision in } \{x_1, \ldots, x_k\}) = \\
&\mathrm{Prob}(k \leq 2^{n/4} \text{ and collision in } \{x_1, x_2\})\ + \\
&\mathrm{Prob}(k \leq 2^{n/4} \text{ and } x_3 \text{ collides with } x_1 \text{ or } x_2 \text{ and no collision in } \{x_1, x_2\})\ + \\
&\cdots\ + \\
&\mathrm{Prob}(k \leq 2^{n/4} \text{ and } x_k \text{ collides with } x_1 \text{ or } x_2 \text{ or } \ldots \text{ or } x_{k-1} \text{ and no collision in } \{x_1, \ldots, x_{k-1}\}) \\
&\leq \sum_{j=1}^{2^{n/4}} \mathrm{Prob}(x_j \text{ collides with } x_1 \text{ or } x_2 \text{ or } \ldots \text{ or } x_{j-1} \text{ and no collision in } \{x_1, \ldots, x_{j-1}\}),
\end{aligned}$$

with the convention that events involving some $x_j$ with $j > k$ are empty (and thus have probability zero). We look at the general term in the above sum.

$$(3.\mathrm{e}) \quad \mathrm{Prob}(x_j \text{ collides with } x_1 \text{ or } x_2 \text{ or } \ldots \text{ or } x_{j-1} \text{ and no collision in } \{x_1, \ldots, x_{j-1}\}) =$$

$$\sum \mathrm{Prob}\bigl(x_j \text{ collides with } x_1 \text{ or } \ldots \text{ or } x_{j-1} \text{ and no collision in } \{x_1, \ldots, x_{j-1}\} \mid (\forall i \in \{1, \ldots, j\})[x_i = u_i] \text{ and } (\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\bigr) \times \mathrm{Prob}\bigl((\forall i \in \{1, \ldots, j\})[x_i = u_i] \text{ and } (\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\bigr),$$

where the sum is taken over all $j$-tuples $(u_1, \ldots, u_j)$ of distinct strings in $\{0,1\}^*$ (that we consider as potential queries of $M'$ on $w$) and over all possible answers $(a_1, \ldots, a_{j-1})$ to the queries $u_1, \ldots, u_{j-1}$ such that the possible answers of length $2n - 1$ are distinct (these are answers to queries of length $2n$ and they are distinct because there is no collision in $\{u_1, \ldots, u_{j-1}\}$). Let us fix a tuple $(u_1, \ldots, u_j)$ of possible distinct queries and a tuple $(a_1, \ldots, a_{j-1})$ of possible answers as above and let us consider the probability

$$\mathrm{Prob}\bigl(x_j \text{ collides with } x_1 \text{ or } \ldots \text{ or } x_{j-1} \text{ and no collision in } \{x_1, \ldots, x_{j-1}\} \mid (\forall i \in \{1, \ldots, j\})[x_i = u_i] \text{ and } (\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\bigr),$$

which is of course equal to

$$(3.\mathrm{f}) \quad \mathrm{Prob}\bigl(u_j \text{ collides with } u_1 \text{ or } \ldots \text{ or } u_{j-1} \text{ and no collision in } \{u_1, \ldots, u_{j-1}\} \mid (\forall i \in \{1, \ldots, j\})[x_i = u_i] \text{ and } (\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\bigr).$$

Note that the condition "no collision in $\{u_1, \ldots, u_{j-1}\}$" is subsumed by the condition "$(\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]$" because the answers $a_i$, for $i = 1, \ldots, j-1$, are distinct with respect to those of them of length $2n - 1$. The conditions $f_A(u_i) = a_i$, for $i = 1, \ldots, j-1$, completely determine whether it is the case that for all $i \in \{1, \ldots, j\}$, the $i$-th query is $u_i$, i.e., whether for all $i \in \{1, \ldots, j\}$, $x_i = u_i$. Thus the event $\{$no collision in $\{u_1, \ldots, u_{j-1}\}$ and $(\forall i \in \{1, \ldots, j\})[x_i = u_i]$ and $(\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\}$ is either empty or is equal to the event $\{(\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\}$.



If it is empty, the probability in equation (3.f) is zero (by the standard convention regarding conditional probabilities). In the other case, the probability in equation (3.f) is equal to

$$\mathrm{Prob}\bigl(u_j \text{ collides with } \{u_1, \ldots, u_{j-1}\} \mid (\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\bigr) = \frac{\mathrm{Prob}\bigl(u_j \text{ collides with } \{u_1, \ldots, u_{j-1}\} \text{ and } (\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\bigr)}{\mathrm{Prob}\bigl((\forall i \in \{1, \ldots, j-1\})[f_A(u_i) = a_i]\bigr)}.$$

If $|u_j| \neq 2n$ the above conditional probability is zero. So, we will consider that $|u_j| = 2n$. Let $U = \{u_i \mid i \in \{1, \ldots, j-1\} \text{ and } |u_i| = |u_j| = 2n\}$ and let $W = \{u_1, \ldots, u_{j-1}\} - U$. Note that $\|U\|$, the cardinality of $U$, is at most $j - 1$. Observe also that $u_j$ cannot collide with elements from $W$ and that the events "$u_j$ collides with some element in $U$ and $f_A(u_i) = a_i$ for all $u_i$ in $U$" and "$f_A(u_i) = a_i$ for all $u_i$ in $W$" are independent. The events "$f_A(u_i) = a_i$ for all $u_i$ in $U$" and "$f_A(u_i) = a_i$ for all $u_i$ in $W$" are also independent (the choices made in the construction of the oracle at different lengths are independent). Therefore the probabilities involving strings $u \in W$ cancel and it remains to evaluate

$$(3.\mathrm{g}) \quad \frac{\mathrm{Prob}\bigl(u_j \text{ collides with } \{u_i \mid u_i \in U\} \text{ and } (\forall u_i \in U)[f_A(u_i) = a_i]\bigr)}{\mathrm{Prob}\bigl((\forall u_i \in U)[f_A(u_i) = a_i]\bigr)}.$$

The events in the above equation depend on the choices of the string $s$ and of the permuta-
tion that determines $f_{2n,A}$, and these two choices are independent, as we have observed when
we built the probability measure. Let us focus on the event appearing in the numerator.
For this event to hold, the string $s$, which is responsible for the collisions, must be chosen
so as to make $u_j$ collide with one of $\{u_i \mid u_i \in U\}$, and so as to prevent any collision in $U$
(because the "answers" $a_i$ to the "queries" $u_i$ in $U$ are distinct). If we fix one such string $s$,
the $2^{2n-1}$ pairs $(u, u \oplus s)_{u \in \{0,1\}^{2n}}$ are determined, and the permutation defining $A$ at length
$2n$ must be chosen so as to map $u_i$ to $a_i$ for all $u_i \in U$. The number of such permutations
does not depend on the fixed string $s$. Thus, the numerator is equal to the probability over
$A$ that $s_{2n,A}$ is in the set $\{u_j \oplus u_i \mid u_i \in U\} \setminus \{u \oplus v \mid u, v \in U \text{ and } u \neq v\}$ times the
probability that (for fixed $s$) the permutation defining $A$ at length $2n$ is compatible with
$f_A(u_i) = a_i$, $u_i \in U$ (a probability that as noted above is the same for each $s$). The first
factor is at most

$$
\frac{\|U\|}{2^{2n} - 1} \le \frac{j-1}{2^{2n} - 1}.
$$



Similarly, the denominator in equation (3.g) is equal to the probability that $s$ is a string
of length $2n$ different from $0^{2n}$ and not in the set $\{u \oplus v \mid u, v \in U \text{ and } u \neq v\}$ times the
probability that (for fixed $s$) the permutation defining $A$ at length $2n$ is compatible with
$f_A(u_i) = a_i$, $u_i \in U$ (and thus the second factor of the denominator is the same as the
second factor of the numerator). The first factor of the denominator is at least

$$
\frac{2^{2n} - 1 - \|U\|(\|U\| - 1)/2}{2^{2n} - 1} \ge \frac{2^{2n} - 1 - (j-1)(j-2)/2}{2^{2n} - 1}.
$$

Consequently, the fraction in equation (3.g) is bounded from above by

$$
\frac{j-1}{2^{2n} - 1 - (j-1)(j-2)/2}.
$$

Substituting in equation (3.e), we obtain that

$$
\begin{aligned}
&\mathrm{Prob}\bigl(x_j \text{ collides with } x_1 \text{ or } x_2 \text{ or } \dots \text{ or } x_{j-1} \text{ and no collision in } \{x_1, \dots, x_{j-1}\}\bigr) \\
&\le \sum \frac{j-1}{2^{2n} - 1 - (j-1)(j-2)/2}\;
\mathrm{Prob}\bigl((\forall i \in \{1, \dots, j\})[x_i = u_i] \text{ and } (\forall i \in \{1, \dots, j-1\})[f_A(u_i) = a_i]\bigr) \\
&\le \frac{j-1}{2^{2n} - 1 - (j-1)(j-2)/2},
\end{aligned}
$$

where the sum ranges over the tuples $(u_1, \dots, u_j)$ and $(a_1, \dots, a_{j-1})$ fixed above.
Thus, returning to equation (3.d), we obtain that

$$
\begin{aligned}
\mathrm{Prob}\bigl(k \le 2^{n/4} \text{ and collision in } \{x_1, \dots, x_k\}\bigr)
&\le \sum_{j=2}^{2^{n/4}} \frac{j-1}{2^{2n} - 1 - (j-1)(j-2)/2} \\
&\le \sum_{j=2}^{2^{n/4}} \frac{j-1}{2^{2n} - 1 - (2^{n/2} - 1)} \\
&\le \frac{2^{n/2}}{2^{2n} - 2^{n/2}} = \frac{1}{2^{3n/2} - 1} \le \frac{1}{2^{1.4n}},
\end{aligned}
$$

which ends the proof of Fact 3.8.
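The bound just derived can be checked exactly for small $n$. The following is an added example, not code from the paper: it encodes $2n$-bit strings as Python integers, assumes (as the text states) that only the choice of the nonzero string $s$ decides which queries collide ($u_j$ collides with $u_i$ iff $u_j = u_i \oplus s$), enumerates all $2^{2n}-1$ values of $s$, and compares the first factors of the numerator and denominator of (3.g), their ratio, and the summed bound of Fact 3.8 against the expressions in the proof. The function and variable names are the example's own.

```python
from fractions import Fraction
from itertools import combinations


def internal_xors(U):
    """{u XOR v : u, v in U, u != v}: the values of s that would make U itself collide."""
    return {u ^ v for u, v in combinations(U, 2)}


def numerator_prob(n, U, uj):
    """First factor of the numerator of (3.g): probability over a uniform nonzero s in
    {0,1}^{2n} that u_j collides with some u_i in U while U has no internal collision,
    i.e. |{u_j XOR u_i : u_i in U} \\ {u XOR v : u, v in U, u != v}| / (2^{2n} - 1)."""
    total = 2 ** (2 * n) - 1
    good = {uj ^ ui for ui in U} - internal_xors(U)
    good.discard(0)  # s = 0^{2n} is excluded; it never arises when u_j is not in U
    return Fraction(len(good), total)


def denominator_prob(n, U):
    """First factor of the denominator of (3.g): probability that s is nonzero and
    not in {u XOR v : u, v in U, u != v}."""
    total = 2 ** (2 * n) - 1
    bad = internal_xors(U)
    bad.discard(0)
    return Fraction(total - len(bad), total)


def numerator_prob_bruteforce(n, U, uj):
    """Same event as numerator_prob, but evaluated by enumerating every nonzero s and
    testing the two collision conditions literally; cross-checks the set algebra."""
    total = 2 ** (2 * n) - 1
    count = 0
    for s in range(1, total + 1):
        hits_U = any(uj ^ s == ui for ui in U)
        U_clean = all(u ^ s != v for u, v in combinations(U, 2))
        if hits_U and U_clean:
            count += 1
    return Fraction(count, total)


def conditional_bound(n, j):
    """(j-1) / (2^{2n} - 1 - (j-1)(j-2)/2), the bound on the fraction (3.g).
    (j-1)(j-2) is always even, so integer division is exact."""
    return Fraction(j - 1, 2 ** (2 * n) - 1 - (j - 1) * (j - 2) // 2)


def check_step(n, queries):
    """queries: distinct 2n-bit ints u_1, ..., u_j (all of length 2n, so U is the first
    j-1 of them). Returns (exact conditional probability, bound from the text, bound holds)."""
    U, uj = queries[:-1], queries[-1]
    j = len(queries)
    ratio = numerator_prob(n, U, uj) / denominator_prob(n, U)
    bound = conditional_bound(n, j)
    return ratio, bound, ratio <= bound


def fact_bound(n):
    """Sum_{j=2}^{2^{n/4}} (j-1) / (2^{2n} - 1 - (j-1)(j-2)/2): the total bound from the
    proof of Fact 3.8. n must be a multiple of 4 so that 2^{n/4} is an integer."""
    assert n % 4 == 0
    k = 2 ** (n // 4)
    return sum((conditional_bound(n, j) for j in range(2, k + 1)), Fraction(0))


if __name__ == "__main__":
    n = 4  # 8-bit queries, 255 possible values of s
    # Constructed sample queries; the last one plays the role of u_j.
    for qs in ([0x01, 0x02, 0x04, 0x08], [0x00, 0x0F, 0xF0, 0xFF]):
        ratio, bound, ok = check_step(n, qs)
        print(f"queries={qs}: Prob={ratio} bound={bound} holds={ok}")
    for m in (4, 8, 12):
        print(f"n={m}: sum bound={float(fact_bound(m)):.3e} vs 2^-1.4n={2 ** (-1.4 * m):.3e}")
```

The second constructed query set shows why the numerator subtracts the internal XORs: every $u_j \oplus u_i$ there coincides with some $u \oplus v$ inside $U$, so no $s$ can make $u_j$ collide with $U$ without also colliding two earlier queries, and the probability is exactly zero.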



We mention that though it sometimes happens in complexity theory that function results
immediately yield corresponding language results, it is not the case that our main result
implies, at least in any obvious way, the corresponding language result.⁵

Another observation is that the proof of Theorem 3.2 actually shows the following
stronger result.

Theorem 3.9 There is a constant $\epsilon > 0$ and a function oracle $O$ relative to which there is
a problem $B$ computable in exact quantum polynomial time such that if $M$ is any bounded-
error classical Turing machine, then on all but a finite number of inputs $w$ on which the
machine correctly solves $B$, $M$ requires more than $2^{\epsilon |w|}$ steps.

In other words, even classical machines that are allowed to err infinitely many times in
their computation of the problem $B$ still need more than $2^{\epsilon n}$ time on almost every input
on which they are correct. The result follows immediately from equation ^x| and from the
simulation of bounded-error machines by deterministic machines, both relativized with a
random oracle, via the Bennett-Gill technique.

⁵ Let us be more explicit. One might well wonder:

"It seems that your function result will easily give the analogous language result. Why? Basically, by
using the standard way we coerce function complexity into language complexity, i.e., via making a language
that slices out bits or that prefix searches. For example, using the first of these approaches, take your hard
function, call it $g$. Now consider the function $h$ defined as $h(\langle y, i \rangle) =$ the $i$-th bit of $g(y)$. Since $g$ truth-table
reduces to $h$, it follows that if $h$ has fast algorithms then $g$ has fast algorithms (the relation depending on the
length of the query strings and the number of queries, but in fact in our case these are such that one could
make a good claim). But you prove/claim that $g$ does not have fast classical bounded-error algorithms,
so neither can $h$. And certainly (this actually is the case) Brassard-Høyer easily still gives us that $h$ is
quantum-easy to compute."

However, this reasoning is not valid. The above argument would be fine if we were dealing with infinitely-
often hardness. However, we are seeking to prove almost-everywhere hardness, and in fact the bit-slices of
an a.e.-hard function are not necessarily a.e.-hard. To see this, consider any a.e.-hard function and prefix a
1 to all its outputs. This is still a.e.-hard but its bit-slices are infinitely often trivial, namely, the first bit of
each output is 1. Of course, our hard function does not seem to have any such "obvious" or easy bits, but
this is just an informal, tempting hope rather than a valid proof.